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"(b) (3) -P. L. 8(5-36 


SUBJECT: Veterans Administration Request for Telecommunications Vulnerability 
Assessment 

1. Pursuant to the provisions of NSA/CSS Directive 10-30, the proposed 
simulated intrusion and COMSEC vulnerability assessment of the Veterans 
Administration (VA) computer systems is approved. The VA requested NSA to 
simulate an intrusion of their communications network and test of the VA 
Pilot System in a letter dated August 6, 1976 included as Inclosure 1. A 
Memorandum for the Record, dated 19 July 1977, discussing this matter is 
Included as Inclosure 2, 

2. The results of this vulnerability assessment will aid the VA in 

analyzing their need for encryption. ... 

3. Request you evaluate the legality of t his vu l nerabiltv . 

and render advice and procedures as necessary. 


?\W) 

|b)(3)-P.L. 86-36 



4, Please re search this matter | . — __ 

as soon as possible! The VA is eager tor NSA to begin this 


evaluation. 

5, This memorandum may be declassified upon removal of Inclosure 2* 
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/f RAYMOND T. TATE 



U Deputy Director, NSA 
for 

CONF I DENT I A L- Communications Security p pr 5ve3'7o?T-^ ©le as© by IMbA ^ 
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.M/R: As a result of an NSA-sponsored briefing, the Veterans Administration 

(VA) has requested NSA's assistance to determine the susceptibility of VA 
computer systems to 11 Phone Freak' 1 exploitation. This evaluati on has been 
delayed for several reasons, the most recent o f which, concerns! 


Memorandum for the Record, dated 19 July 1977 details NSA authority to 
Undertake this test, various restrictions to legislative and directive and 
a proposed solution. The memorandum was sent to U in the hopes that they 
would informally accept our proposal before we formally approached them. 
Unfortunately, progress has been slow. The proposed memorandum formalizes, 
our request for assistance and documents DDC approval in accordance with 
Agency directive which requires DDC approval for COMSEC surveillance 
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Veterans administration 

Department of Veterans Benefits 


Washington. d.C. 20420 


• 

Deputy Director 
Communications Security 
ATTN: Mr* Raymond T. Tate 

National Security Agency 
Fort George G. Meade, Maryland 

Dear Mr* Tate: 


/pS 06^75 


20755 

'Wl {3)-P.L, 86-36 


Recently, six members of my staff visited your installation for a 
threat briefing. The presentation vas very informative and assisted 
ub in our quest for available information to be used to determine if 
encryption is necessary for our forthcoming Target System, I appreciate 
your flexibility in re-scheduling this briefing when we encountered 
a last minute problem and could not a ttend the first scheduled — _ — 

briefing, I would also like to thank ) 

who have recently completed a preliminary assessment of the Target 
communications network. 


During the course of the briefing it was suggested that NSA has 
equipment available which could be used to simulate an intrusion 
into our communications network and on offer was made to test our 
Pilot System with the equipment. It is our opinion that this simu- 
lation would aid in analyzing our need for encryption. 

I will be pleased to discuss plans for the "simulated intrusion 
in more detail at your convenience. Any preparatory information 
may be obtained from Mr. J. Neil Rivers, Pilot/Target Security 
Manager - telephone 389-2125/2172. 


Sincerely, 



RALPH SMITH 

Director, Systems 
Development Service 


Xo.cS / 

Show MM 1 / full namt, VA fh numb". ani ndal ucutity numltr cn all centspondtnct. 
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- MEMORANDUM FOR THE RECORD • 19 July 1977 

I. Background ; 

As a result of an NSA-sponsored briefing, the Veterans Administration (VA) 
has requested NSA's assistance in determining the susceptibility of VA computer 
systems to ’’Phone Freak" exploitation. "Phone Freak" activity involves the 


manipulation of common carrier circuit switches to provide, among 
a toll free path for long distance calls. This is accomplished by 

ptbpr fhintfS-. — 



- ' • " 

| -functions" 

that 

safe- 


guard the privacy of telecommunications users. 

The three major topics of COMSEC concern relate to the unauthorized 
access to the AUTOVON system, illegal telephone monitoring of government 
communications via maintenance and/or busy verification switchboards, and access 
to government owned or operated computer systems; 


"'(b)d) 

(b)(3)- P.L. 86-36 


II, Authority ; 

A, National Security Council Communications Security Directive, dated 
26 August 1968. 

M (H)e (DIRNSA) shall: 

4.c, Evaluate and advise the Board and the departments and agencies 
concerned on the vulnerabilities of telecommunications to hostile exploitation. u 

Recommend basic doctrine, methods, and procedures to minimize COMSEC vulnerabilities. 

B. Presidential Executive Order 11905, dated 18 February 1976. 

•'Section _ 

The National Security Agency, whose functions, authorities and 
responsibilities shall include: 

(E) Serving under the Secretary of Defense as the central communications 
security authority of the United States Government. 11 

- C. DoD Directive C- 5 200. 5, "Communications Security (COMSEC) (U) n , dated 
13 April 1971. 

"Section HI.B. 

The Director, NSA shall be responsible for: 

3. Preparing, maintaining, and providing for the conduct of a 
COMSEC research and development program to insure the continuing security of 
federal telecommunications. . - 

•. . C!«v.5r*. ?-* 

EJCCailivi'**'/ 
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«. -Assessing 4 the adequacy of national COMSEC doctrine, procedures, 
and material* 11 ‘ 


III. Restrictions : 

A. Presidential Executive Order 11905, dated 18 February 1976 

"Section 5.b, 

Foreign intelligence agencies shall not engage in any of the 
following activities: 

(2) Electronic surveillance to intercept a communication which is 
made for, or is intended by the sender to be received in, the United States, 
or directed against United States persons abroad, except lawful electronic sur 
veillance under procedures approved by the Attorney General;” 


B. 18 U.S.C. 2510 Definitions 


"(l) "wire communications” means any communication made in whole or 
in part through the facilities for the transmissions of communications by the 
aid of wire, cable, or other like connection between the point of origin and the 
point of reception furni ^ed or operated by any person engaged as a common 
carrier in providing or operating such facilities for the transmission of 
interstate or foreign communications. 

(5) "Electronic, mechanical or other device” means any device or 
apparatus which can be used to intercept a wire or oral communications other 
than: . . 

C. 18 U.S.C. 2511 (1) 


f, » . . Any person who - 

l.b. Willfully uses, endeavors to use, or procures any other person to 
use or endeavor to use any electronic, mechanical, or other device to intercept 
any oral communication when: 

(1) Such device is affixed to, or otherwise transmits a signal 
through a wire, cable, or other like connection used in wire communications; or 

(iv) Such. use or endeavor to use (A) takes place on the premises 
of any business or other commercial establishment the operation of which affects 
. interstate or foreign commerce; 

l.d. Willfully uses, or endeavors to use, the contents of any wire 
or oral communications knowing or having reason to know that the information was 
obtained through the interception of wire or oral communications in violation 
v of this subtitle, 

shall be fined not more than $10,000.00 or imprisoned^ not more than five years, or 
both,” ... 
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' D. ‘ 16'D.S.C. ^Ll ,(2) ' 

' - ‘ "C. It shall not be unlawful under this chapter for a person acting 

under color of law to Intercept a wire or oral communication, where such person 
is a party to the communication ox one of the parties to the communication has 
given prior consent to such intercept. 

I 

D. It shall not be unlawful under this chapter for a person not 
- acting under color of law to intercept a wire or oral communication where 
such person is a party to the communication or where one of the parties has 
given prior consent to such intercept unless Such communication is intercepted 
for the purpose of committing any crime or tortious act . * •" 

E, 47 U.S.C. 605 Communications Act of 1934 

Makes it a crime to divulge or publish the content or existence of 
intercepted communications or use for personal benefit the contents of such 
intercepted communications, 

IV. Discussion : 

NSA is charged with the responsibility to evaluate telecommunications 
vulnerabilities within the federal government:. The Veterans Administration, 
an independent federal agency not directly affiliated with the Department of 
Defense, has requested NSA to evaluate and' advise concerning the vulnerability 
of Its computer systems to manipulation by ’’Phone Freak" activity by access 
and circumvention of common carrier circuit switch call routing functions. NSA 
also has the responsibility to investigate and evaluate telecommunications 
vulnerabilities, such as those posed by "Phone Freak." activities where exploitation 
of government communications and or systems are involved. 

Generally, statutory and Executive Order restrictions placed on surveillance 
activities are directed at the protection of communications content. Experimentation, 
verification and documentation of circuit switch manipulations may be construed 
to be within the scope of the Omnibus Crime Control and Safe Streets Act of^l968, 

18 U.S.C. 2510 et seq . where signalling tests are within the definition of "wire 
communications". However, such derived information does not relate to communications 
content protection under the statute, but rather information concerning the 
operation of the communications system. 

However, 18 U.S.C, 2511 (2) removes consentual monitoring from the 
jurisdiction of this statute and would permit signalling tests and communications 
content monitoring provided proper and informed consent was first obtained. 

V- Conclusion : 

It would appear the evaluation of VA's telecommunications vulnerabilities 
can be accomplished lawfully, provided: 
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^ . Xm a Consent is received from VA (access to its computer systems), 

2. Consent is received from the person whose VA file will be accessed or. 

In the alternative, 'a fictitious computer file is created for purposes of this test. 


3. Safeguards are taken to ensure that no other VA computer file may be , 
accessed during the course of this test or in the alternative, an authorized VA 
employee will manipulate the computer file. 
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Mr. W* BU Martin 

Chief Data Management Director 

Department of Data Management 

Veterans Administration 

810 Vermont Avenue, N.W. 

Washington, DC 20420 

Dear Mr. Martini 


Please refer to your letter, 30/32* dated 22 July 1977. In December 
1976, we agreed to help the Veterans Administration carry out tests of 
the TARGET system. We expected to have these tests completed by now so 
that VA could better use the results and conclusions of our paper, 

"Threat Analysis of the Compensation, Pension and Education ADPS System”, 
dated 1 July 1976, to decide If the system requires additional protection. 
However, legal questions have prevented us from proceeding with these 
tests. After reviewing the situation, we concluded that this Agency should 
not participate in such tests „ We reached this decision because we believe 
there already exists sufficient evidence to support the conclusions of our 
paper and because of the legal questions our participation might raise. 


We understand your desire to resolve questions concerning system 
security requirements as soon as possible* We can help you in two ways. 
First, we will be pleased to discuss the applicability for your requirement 
riOTrtrpg tfl those planned for use by the Federal Reserve Board. 

688-7110, la prepared to answer questions about 


those devices. 

Secondly, we can discuss with you the conclusions of our analysis 
paper and the information we have to support these conclusions. Such 
" discussions may help you interpret these conclusion s and ap ply them in 

making your plans. Our point of contact for this la 

telephone 683-6015. , - 


Sincerely, 


(b)(3)-P.L 86-36 


RAYMOND T. TATS 

Depufy Direcfroir, WSA 
for 

Communications Security 


approved for Release by NSA or 
j3.'?5-?009 FOIA Case #47651 


rnnrTnrarrTW m/r attached 
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leading (I) 
Reading 


U1 


Sub j ect 


M/R: The following is a brief chronology of events leading to this letter, 

1„ In Aug 1976, S4 sent to VA a paper analyzing vulnerabilities in their 
new data processing system. We did the analysis to provide them information 
so they could justify including or not including encryption of the system s 
communicatlona . 

2. At a meeting with VA in July 19 76, we discuaeed wi th them the possibility ^ 

of trying to penetrate their system | 1 ~ wst-P-L. 

3. In August 1976, VA wrote to HSA asking that we help them perform such 
an attack, 

4. I$e spent the next few months investigating the legal ramifications of 
our participating in such a test. Finally, in December 1976, we wrote to 

VA offering to assist them and s aying we would need Information from them 

’ 1 We thought then thatr^we could proceed without 


88-36 


further legal problems” 


5. 


tried -unsuccessfully _to get informs tion[ 


We periodically spoke to Mr. Rivers at VA to tell feta we sjex& T _ 
having difficulty getting th e information. Finally, f _ . _ _ . - • Ingreed 


to provide the informati on to| 


wn> 

5b)(3)-P. 


i»(i) 

(3)(3)-P. 


<W(1> 

(M( 3 )-P 


(b) <3)-P:L. 


6, S04 then discussed the process for approval with ADLA personnel. In 
August 1977, S04 prepared a Memorandum from DDC to ADLA requesting that ADLA 
obtain the needed approval. This memorandum is attached as a reference. 

7. In late July 1977, we received a letter from VA asking \\ox3 we were . 
progressing. They also asked for a status report on 


_r 


-F.L. oO-JO 


This letter responds to VA f s lett^ 
extension of the suspense bgcaugg 
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